Cybersecurity has become a leading priority for manufacturers of embedded systems and IoT devices. The rapid proliferation of these technologies, combined with their increasing integration into critical infrastructure, has made them prime targets for cyberattacks. In response, the European Union created the Cyber Resilience Act (CRA) as a landmark regulation to protect the digital ecosystem and ensure security by design throughout the entire lifecycle of products with digital elements (PDEs).
The CRA establishes stringent requirements for manufacturers, addressing the entire lifecycle of connected products, from development to end-of-life. These measures exist to protect all users by minimizing vulnerabilities, fostering transparency, and ensuring the secure deployment of updates. For global manufacturers, aligning with these regulations is essential, as sweeping noncompliance penalties drastically affect business success. Adherence to the CRA’s security requirements is necessary to remain competitive in an increasingly regulated market.
Given the complexity and unique scope of the CRA, the regulation presents key challenges that require proactive, actionable strategies to remain compliant throughout its enforcement. Successful industry players will adapt their processes so that security and transparency are at the forefront of every stage of the product lifecycle, and thereby achieve compliance.
Essential requirements and key mandates of the CRA
The EU Cyber Resilience Act (CRA) establishes comprehensive requirements to enhance the cybersecurity of products with digital elements (PDEs), ensuring their security from design to decommission. These essential requirements, detailed in the annexes, outline measures that manufacturers must implement, including:
- Continuous monitoring: Manufacturers must continuously monitor their products for vulnerabilities, including by conducting regular security tests and reviews.
- Transparency through SBOMs: A detailed, machine-readable Software Bill of Materials (SBOM) is required, providing an inventory of all software components and dependencies. This level of transparency enables full disclosure and timely vulnerability identification for any interested parties.
- Vulnerability disclosure mechanisms: Manufacturers must establish accessible and reliable channels for publicly reporting vulnerabilities, ensuring accountability and expediting resolution processes. Disclosure measures must report vulnerabilities through a single point of contact.
- Timely remediation via secure updates: Vulnerabilities must receive prompt remediation through secure software updates, made available to the general public immediately upon identification. Robust over-the-air (OTA) update systems are essential to deploy these patches quickly and efficiently without exposing devices to additional risks.
Together, the CRA measures emphasize a lifecycle approach to cybersecurity, mandating that manufacturers integrate security throughout their products to maintain integrity and safety long after initial production. These requirements enhance the resilience and reliability of connected products while safeguarding the end user.
Classification of products
The CRA applies to all “products with digital elements (PDEs)” sold in the European Union. Unlike other cybersecurity efforts, the CRA makes its sweeping regulations mandatory in order to ensure the safety of these offerings. For products that perform a security function, Annex 3 delineates specific categories of PDEs that carry additional compliance requirements, including a conformity assessment and auditing obligations. These categories fall under two classes:
- Class I products include software and hardware-software combinations essential for everyday cybersecurity and network management at the consumer level. Class I products encompass solutions like VPNs, antivirus software, password managers, and smart home security devices.
- Class II products include software and hardware-software combinations focused on critical cybersecurity functions at the enterprise level. Class II products focus on securing virtualized environments and ensuring robust system protection through means such as firewalls, intrusion detection systems, and tamper-resistant microprocessors.
The CRA’s expansive legislation lays the foundation for securing all products with digital elements through the aforementioned requirements. These security requirements are a substantial lift, demanding preparation, a fuller understanding of the scope and, most importantly, a clear view of the manufacturer’s responsibility to achieve compliance successfully.
Scope of the CRA and its impact on different industries
The CRA’s scope is vast, covering a wide range of products, including:
- Internet of Things (IoT) devices, such as smart home systems and wearables.
- Embedded systems used in industrial automation and critical infrastructure.
- Software and firmware integral to connected devices, especially those concerning remote data processing.
The CRA focuses on ensuring that security measures are baked into products at every level, from hardware to software. Products with digital elements (PDEs) are everywhere in today’s consumer market, inadvertently creating possible attack vectors. Bolstering comprehensive security protects end users.
Excluded industries
While the CRA has broad applicability, some industries are exempt due to existing regulatory frameworks. These include:
- Medical Devices: Governed by the EU Medical Devices Regulation.
- Military Equipment: Subject to defense-specific legislation.
- Automotive: Already regulated under the UNECE WP.29 cybersecurity framework.
By carving out these exemptions, the CRA avoids redundancy and allows specialized regulations to handle industry-specific security challenges.
Although an EU regulation, the CRA’s implications extend far beyond Europe. Companies operating outside the EU must still ensure compliance in order to maintain access to the EU’s lucrative consumer base: the regulation applies if a company sells products in the EU. Perhaps similar to GDPR, this will, in turn, create a ripple effect, encouraging the adoption of CRA-aligned practices across the globe and setting a higher standard for cybersecurity worldwide.
Challenges in complying with the CRA
The CRA’s requirements center around providing security and traceability throughout the lifecycle of a PDE; the legislation outlines key points that present challenges to manufacturers looking to comply, including:
Secure by default
The CRA mandates a secure by default approach, requiring manufacturers to prioritize security at the design stage and throughout the product lifecycle. Manufacturers must build products that are inherently secure, with configurations optimized for cybersecurity rather than user convenience or time-to-market, for example. While requiring design-level security ensures a stronger baseline of protection, it can significantly increase development time and costs, especially for organizations without adequate security practices. Balancing functionality, usability, and security is particularly challenging for resource-constrained manufacturers.
SBOM maintenance
Compiling a machine-readable Software Bill of Materials (SBOM) is a pivotal requirement of CRA compliance. Notably, maintaining an accurate and up-to-date SBOM across complex supply chains requires substantial preparation. Software components often originate from multiple vendors, open-source libraries, or third-party suppliers, each with its own update cycles and vulnerabilities. The fragmented software ecosystem creates difficulties in tracking component changes, ensuring compatibility, and responding promptly to emerging threats.
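The transparency and maintenance points above (the machine-readable SBOM requirement and the difficulty of tracking component changes across a fragmented supply chain) are easier to reason about with a concrete inventory in hand. The following Go program is an added illustration, not code from the original article or from Northern.tech or Mender. It parses a constructed CycloneDX-style JSON SBOM (CycloneDX is a real, widely used SBOM format; the document, component versions and advisory records below are all made up for the example), then matches the inventoried components against a small advisory list by name and version. The `Advisory` record, its `Fixed` field and the `ADV-EXAMPLE-*` identifiers are assumptions of this example; a production pipeline would match on package URLs or CPEs against a vulnerability database with proper version ranges rather than on bare names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Component is one entry of a CycloneDX-style SBOM (only the fields used here).
type Component struct {
	Name    string `json:"name"`
	Version string `json:"version"`
}

type sbom struct {
	BOMFormat  string      `json:"bomFormat"`
	Components []Component `json:"components"`
}

// Advisory is a constructed record: every version of Component below Fixed is affected.
type Advisory struct {
	ID        string
	Component string
	Fixed     string
}

// Finding pairs an inventoried component with the advisory that matches it.
type Finding struct {
	Component Component
	Advisory  Advisory
}

// ParseSBOM decodes a CycloneDX JSON document and rejects other bomFormat values.
func ParseSBOM(data []byte) ([]Component, error) {
	var doc sbom
	if err := json.Unmarshal(data, &doc); err != nil {
		return nil, err
	}
	if doc.BOMFormat != "CycloneDX" {
		return nil, fmt.Errorf("unsupported bomFormat %q", doc.BOMFormat)
	}
	return doc.Components, nil
}

// versionLess orders dotted numeric versions segment by segment ("1.2.9" < "1.2.10").
func versionLess(a, b string) bool {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y int // a missing or non-numeric segment counts as 0
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x != y {
			return x < y
		}
	}
	return false
}

// FindAffected reports every component whose version is below an advisory's fixed version.
func FindAffected(comps []Component, advs []Advisory) []Finding {
	var out []Finding
	for _, c := range comps {
		for _, a := range advs {
			if c.Name == a.Component && versionLess(c.Version, a.Fixed) {
				out = append(out, Finding{Component: c, Advisory: a})
			}
		}
	}
	return out
}

// SampleSBOM is a constructed CycloneDX document, not a real product inventory.
const SampleSBOM = `{
  "bomFormat": "CycloneDX",
  "components": [
    {"type": "library", "name": "zlib", "version": "1.2.11"},
    {"type": "library", "name": "openssl", "version": "3.0.8"}
  ]
}`

// SampleAdvisories are constructed placeholders, not real CVE records.
var SampleAdvisories = []Advisory{
	{ID: "ADV-EXAMPLE-0001", Component: "zlib", Fixed: "1.2.13"},
	{ID: "ADV-EXAMPLE-0002", Component: "openssl", Fixed: "3.0.8"},
}

func main() {
	comps, err := ParseSBOM([]byte(SampleSBOM))
	if err != nil {
		panic(err)
	}
	for _, f := range FindAffected(comps, SampleAdvisories) {
		fmt.Println(f.Component.Name, f.Component.Version, "affected by", f.Advisory.ID)
	}
}
```

Run as-is, it reports only the zlib entry: openssl sits exactly at the fixed version, which is the boundary case a naive string comparison gets wrong. The point for CRA purposes is that this kind of check only works when the SBOM is regenerated on every build, so that a bumped dependency or a vendored library that changed upstream shows up in the inventory rather than in an incident report.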
Vulnerability disclosure
The CRA requires transparent and timely vulnerability disclosure processes, enabling stakeholders to identify and report risks effectively. However, managing this process without compromising proprietary information or customer trust can be challenging. Manufacturers must establish secure communication channels, balance speed with accuracy, and coordinate with affected parties to resolve issues without introducing new risks.
Secure updates
Delivering reliable over-the-air (OTA) updates is critical for addressing vulnerabilities and maintaining compliance. However, ensuring the security and integrity of these updates is no small feat. Manufacturers must implement robust mechanisms to authenticate updates, protect against tampering, and provide seamless deployment across diverse devices and environments. Any lapse in these areas could lead to compliance violations or, worse, expose devices to further exploitation.
Proactive strategies for CRA compliance
Manufacturers must adopt a proactive and integrated approach to device security to overcome CRA compliance challenges. While pushing to align with the CRA, common security best practices stand to bolster compliance, including:
Proportionate security processes to cybersecurity risk
As the crux of the CRA, integrating security into the product development lifecycle is the core proactive success strategy. A shift-left approach, where security considerations are embedded early in the design and development phases while testing and remediation continue as an ongoing process, ensures that vulnerabilities are addressed before they reach production. Proportionate security processes and policies, such as security assessments, automated testing tools, and secure coding practices, must be defined in proportion to the product’s cybersecurity risk level. Doing so lowers the risk of vulnerabilities in design and shortens the time to remediate them when they occur while products are in production.
System and process integration
Compliance efforts often fail due to fragmented systems and misaligned processes. By integrating tools and aligning teams, manufacturers can work to create a unified security ecosystem. Centralized dashboards for tracking SBOMs, vulnerabilities, and update deployments provide real-time visibility, enabling faster decision-making and reducing the likelihood of errors or oversight.
Adopting secure by default practices
Building secure by default products involves adopting security best practices at every stage of development. These include secure boot processes, encryption, access controls, and minimizing the attack surface of devices. Additionally, regular security audits and penetration testing ensure that products maintain high-security standards throughout their lifecycle. A secure by default approach not only meets CRA requirements but also builds customer trust and reduces long-term maintenance costs and brand risk.
Leveraging robust OTA solutions
Professional over-the-air (OTA) update solutions are necessary for efficient security and compliance management of PDEs. These solutions are the backbone of device security, providing a secure and scalable way to deliver patches, feature updates, and configuration changes. By leveraging robust OTA platforms, manufacturers can ensure updates are cryptographically signed, tamper-proof, and deployed seamlessly across diverse device fleets. A proactive approach to software updates addresses vulnerabilities promptly and reinforces trust in connected products.
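The secure-update requirements described here and under “Secure updates” above (authenticating updates, protecting them against tampering, and not exposing devices to additional risk during deployment) come down to a small set of checks the device performs before it touches its own storage. The following Go program is an added example, not code from the original article and not Mender’s or Northern.tech’s implementation. It models a vendor that signs an update manifest with Ed25519 and a device that verifies the signature, the target model, the payload digest and an anti-rollback version counter before installing. The `Manifest` layout, the `gateway-x1` model name, the version numbers and the firmware payloads are all constructed for the example; a real device would provision the vendor public key in a protected store and write the image to an inactive slot before committing the version.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one update; the payload is bound to it through its SHA-256 digest.
type Manifest struct {
	Device     string `json:"device"`
	Version    uint64 `json:"version"`
	PayloadSHA string `json:"payload_sha256"`
}

// Artifact is what travels over the air: manifest bytes, signature, payload.
type Artifact struct {
	ManifestJSON []byte
	Signature    []byte
	Payload      []byte
}

// Device holds the provisioned vendor key and the installed version used for rollback protection.
type Device struct {
	Model     string
	VendorKey ed25519.PublicKey
	Installed uint64
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrWrongDevice  = errors.New("artifact targets a different device model")
	ErrBadDigest    = errors.New("payload digest does not match manifest")
	ErrRollback     = errors.New("update version is not newer than installed")
)

// NewVendorKey generates a constructed vendor signing key pair for the demo.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// BuildArtifact is the vendor side: digest the payload, encode the manifest, sign it.
func BuildArtifact(priv ed25519.PrivateKey, device string, version uint64, payload []byte) (Artifact, error) {
	sum := sha256.Sum256(payload)
	m := Manifest{Device: device, Version: version, PayloadSHA: hex.EncodeToString(sum[:])}
	enc, err := json.Marshal(m)
	if err != nil {
		return Artifact{}, err
	}
	return Artifact{ManifestJSON: enc, Signature: ed25519.Sign(priv, enc), Payload: payload}, nil
}

// Verify is the device side: the signature is checked before any manifest field is trusted.
func (d *Device) Verify(a Artifact) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(d.VendorKey, a.ManifestJSON, a.Signature) {
		return m, ErrBadSignature
	}
	if err := json.Unmarshal(a.ManifestJSON, &m); err != nil {
		return m, err
	}
	if m.Device != d.Model {
		return m, ErrWrongDevice
	}
	sum := sha256.Sum256(a.Payload)
	if hex.EncodeToString(sum[:]) != m.PayloadSHA {
		return m, ErrBadDigest
	}
	if m.Version <= d.Installed {
		return m, ErrRollback
	}
	return m, nil
}

// Install applies an artifact only after Verify succeeds and records its version.
func (d *Device) Install(a Artifact) error {
	m, err := d.Verify(a)
	if err != nil {
		return err
	}
	d.Installed = m.Version // a real device would write the image to an inactive slot first
	return nil
}

func main() {
	pub, priv, err := NewVendorKey()
	if err != nil {
		panic(err)
	}
	dev := &Device{Model: "gateway-x1", VendorKey: pub, Installed: 3}
	good, _ := BuildArtifact(priv, "gateway-x1", 4, []byte("constructed firmware image v4"))
	fmt.Println("valid update:", dev.Install(good))
	tampered := good
	tampered.Payload = []byte("modified image")
	fmt.Println("tampered payload:", dev.Install(tampered))
	old, _ := BuildArtifact(priv, "gateway-x1", 2, []byte("constructed firmware image v2"))
	fmt.Println("downgrade:", dev.Install(old))
}
```

The ordering in `Verify` is deliberate: nothing in the manifest is parsed or acted on until the signature over its exact bytes checks out, the payload is only hashed after the manifest is trusted, and the version comparison runs last so that a valid but older artifact (a signed image with a known vulnerability) cannot be replayed onto a patched fleet. A rejected update leaves the device’s installed version untouched, which is what keeps a bad deployment from exposing devices to further risk.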
Strengthening security in a connected world
The Cyber Resilience Act (CRA) is a comprehensive initiative to foster a secure and trustworthy global digital ecosystem built on security and transparency. By adhering to its mandates, manufacturers play a crucial role in advancing cybersecurity standards, safeguarding consumer interests, and driving innovation across industries, in addition to avoiding severe noncompliance penalties that have the potential to fully remove an offering from the European market.
The CRA sets a clear roadmap for integrating robust security practices into every stage of a product’s lifecycle. Overall, it presents an opportunity to demonstrate leadership in building resilient and secure products that meet rising global expectations. Aligning with the CRA ensures regulatory adherence while strengthening an organization’s market position, establishing it as a pioneer in creating a safer, more resilient, connected world.
About the Author
Eystein Stenberg is the CTO of Northern.tech, a leader in device lifecycle management, and the creator of Mender, the market-leading solution for robust, secure, and customizable over-the-air (OTA) software updates.
Eystein can be reached online at:
Email: [email protected]
LinkedIn: https://www.linkedin.com/in/eysteinstenberg/
Company Website: https://northern.tech/